[Freeipa-users] getent passwd / group [SOLVED]

Rob Crittenden rcritten at redhat.com
Wed Oct 29 00:34:13 UTC 2014


Craig White wrote:
> *From:*Dmitri Pal [mailto:dpal at redhat.com]
> *Sent:* Tuesday, October 28, 2014 5:10 PM
> *To:* Craig White; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>  
> 
> On 10/28/2014 04:41 PM, Craig White wrote:
> 
>     *From:*freeipa-users-bounces at redhat.com
>     <mailto:freeipa-users-bounces at redhat.com>
>     [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Craig White
>     *Sent:* Tuesday, October 28, 2014 1:28 PM
>     *To:* dpal at redhat.com <mailto:dpal at redhat.com>;
>     freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
>     *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>      
> 
>     *From:*Dmitri Pal [mailto:dpal at redhat.com]
>     *Sent:* Tuesday, October 28, 2014 10:04 AM
>     *To:* Craig White; freeipa-users at redhat.com
>     <mailto:freeipa-users at redhat.com>
>     *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>      
> 
>     On 10/28/2014 12:11 PM, Craig White wrote:
> 
>         *From:*freeipa-users-bounces at redhat.com
>         <mailto:freeipa-users-bounces at redhat.com>
>         [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
>         *Sent:* Monday, October 27, 2014 5:32 PM
>         *To:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
>         *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>          
> 
>         On 10/27/2014 07:38 PM, Craig White wrote:
> 
>             RHEL 6.5 – new install
> 
>             ipa-server-3.0.0-42.el6.x86_64
> 
>             389-ds-base-1.2.11.15-47.el6.x86_64
> 
>              
> 
>             On the master, I get nothing
> 
>              
> 
>             [root@ipa001 log]# getent passwd admin
> 
>             [root@ipa001 log]#
> 
>              
> 
>             But it works on the replica as expected
> 
>              
> 
>             [root@ipa002nadev01 ~]# getent passwd admin
> 
>             admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
> 
>              
> 
>             I am used to using PADL / NSSWITCH with OpenLDAP and I am
>             rather surprised that on both, ‘getent passwd’ and ‘getent
>             group’ return only entries from local files but then again,
>             I’ve never used sssd before.
> 
>              
> 
>         REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 
> 
>     Then we need SSSD logs with the debug_level in the right sections as
>     Jakub mentioned in his mail.
>     ----
> 
>     Sorry – I had a long meeting and should have noted that after
>     restarting SSSD, it all started working again as expected. Clearly
>     something I have to watch for and indeed, I moved the debug to the
>     domain section for future.
> 
>     I should add – came to the realization that restarting sssd and went to long meeting, then came back and couldn’t log into ipa console or Kerberos and had to restart IPA service to restart Kerberos.
> 
>      
> 
>     IPA is logging nothing.
> 
>      
> 
>     This is not the first time I have had to go through this cycle – it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.
> 
>      
> 
>     Thanks
> 
>      
> 
>     Craig
> 
> 
> Is this on the same server?
> ----
> 
> Yes, same server – the one I call the master. The first one I set up. I’m
> getting tuned in to checking the status of dirsrv and ipa but now I
> know to check the status of the sssd too.
> 
>  
> 
> Seems like it crashes a little too easily – I doubt I did much to harm it – I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS.
> 
>  
> 
> But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible. Sort of wish I could have just started with RHEL 7 and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob



